
What Is SMB1001 and Does Your Business Need It?


For years, Australian small and medium businesses have been told to follow cyber security frameworks designed for someone else. The Essential Eight came from the federal government. ISO 27001 came from large enterprise. NIST's frameworks came from a US federal agency. All useful, all applicable, all written without a forty-person professional services firm in mind.

SMB1001 is different. It is the first cyber security standard published specifically for small and medium business in Australia, with the controls scoped, sized, and priced for organisations that do not have a dedicated security team.

Whether your business needs it depends on your size, your industry, and what your clients and insurers are starting to ask for. Here is the honest version.

What SMB1001 is

SMB1001 is published by Dynamic Standards International (DSI) in partnership with industry. It is structured as a tiered standard: a baseline of basic controls that almost any business can implement, and additional layers for organisations with more sensitive data or more complex environments.

The standard is built around five tiers, named Bronze, Silver, Gold, Platinum and Diamond. The core idea is that a sole trader and a one-hundred-person professional services firm are not in the same risk category, and they should not be expected to implement the same controls. SMB1001 lets a business find the tier that matches its size and risk, then certify against it.

The controls themselves are practical. Multi-factor authentication. Patching. Backups. Endpoint protection. Awareness training. Incident response. The same controls you find in every other framework. The difference is in how they are described, what evidence is required, and how the assessment is run.

How it differs from the Essential Eight

If you have spent any time on Essential Eight, the obvious question is: do I need both?

The short answer is that they overlap heavily and serve different audiences. The longer answer is worth understanding.

The Essential Eight is published by the Australian Signals Directorate. It is technical, control-focused, and specific. It tells you what to do and to what standard, with four maturity levels (Zero to Three). It is widely referenced in government tenders and increasingly in corporate procurement.

SMB1001 is broader and more programmatic. It covers the same technical ground at the lower tiers, but it also includes the surrounding governance: policies, training, incident response readiness, supplier management. It is designed to be a complete cyber security program for an SMB, not just a set of mitigations.

In practice, an SMB that has reached Maturity Level One on the Essential Eight will satisfy most of the technical content of the lower SMB1001 tiers. They will then need to do work on the policy, training, and governance side to certify. Conversely, a business that holds an SMB1001 certification can reasonably claim alignment with the Essential Eight controls covered at their tier.

If you only do one, do the Essential Eight. If your clients or insurers are asking specifically for SMB1001, do both, but build on the Essential Eight foundation.

Which tier applies to your business

The right tier depends on three things: how many staff you have, how sensitive your data is, and what your clients require.

A sole trader or microbusiness with under five staff and no client data of consequence belongs at the entry tier. The aim there is basic hygiene: MFA, backups, patched devices, a working antivirus. Most owner-operators can self-implement against this tier with one weekend of focused work.

A small business of five to twenty staff in a low-risk industry sits at the next tier up. The controls add policy and training, basic incident response, and a more deliberate backup posture. This is the tier where most accounting firms, marketing agencies, and small professional service firms will land.

Mid-tier SMBs of twenty to one hundred staff, or smaller businesses handling sensitive data such as health, legal, or financial information, belong at the middle tiers. Here the program adds vendor management, more rigorous access control, formal incident response, and evidence requirements that often need an external assessor.

Larger SMBs and any business that handles regulated data sit at the upper tiers. By that point you are well into territory that overlaps with ISO 27001 or NIST, and the question becomes which standard your clients are asking for, not whether you need a serious program.

The honest test for any tier is: if a client or an insurer asked you to demonstrate you have implemented these controls, could you produce the evidence in an afternoon? If the answer is no, you have work to do at that tier regardless of certification.

What insurers are starting to require

This is the change that has made SMB1001 matter to businesses that would otherwise ignore another standard.

Cyber insurance underwriters in Australia are tightening requirements. We are increasingly seeing applications that ask not just "do you have MFA" but "are you certified or aligned to a recognised SMB cyber framework". For some carriers, SMB1001 is named explicitly. For others, the question is more general but SMB1001 satisfies it.

Two things follow from that.

If you are renewing cyber insurance in the next twelve months, the questions on the application will be more detailed than they were last year. Be ready to either certify against something, or document specifically what you have in place against the controls insurers care about.

If you are answering yes to a control on an insurance application, you must be able to prove it. A common reason cyber insurance claims are disputed or denied is a gap between what the application said and what was actually in place at the time of the incident. SMB1001 alignment, even without formal certification, gives you a documented basis for those answers.

How to get started

If you have done nothing on cyber security in a structured way, the first step is not to certify against SMB1001. The first step is to know where you stand.

A gap assessment, sometimes called a readiness assessment, takes a week or two for a typical small business. A consultant or an internal lead works through the SMB1001 controls at the tier you think you should reach, identifies what is in place, what is partial, and what is missing, and produces a remediation plan.

The output of that assessment is the answer to "do I need SMB1001". For most SMBs, the answer is "you need most of what is in SMB1001 whether or not you certify". The question of whether to pay for formal certification depends on whether your clients or insurers are asking for it specifically.

Either way, the work is the same. Start with the gap assessment, fix the gaps in priority order, and decide on certification at the end.

If you would like a no-obligation gap assessment against SMB1001, our free IT health check includes one. We map your current controls to the relevant tier, produce a prioritised remediation plan, and give you an honest view of how far you are from the certification you may not need to pay for yet.
